feat(agw): add implicit auditlog usage on agw#209
Conversation
a9e31e7 to
5515bea
Compare
BSD awk (macOS) requires the '/' inside a character class to be escaped as '\/'. GNU awk accepts either form. Discovered during live run on PR #209. Impact: check-testing-depth now returns valid JSON on macOS orchestrate runs; previously it silently emitted an awk error and aggregate.sh skipped the report.
Discovered during live run against PR #209. Multiple checks used the pattern: count=$(echo "$diff" | grep -E 'pattern' 2>/dev/null | wc -l | tr -d ' ') Under 'set -o pipefail', when grep finds zero matches it returns exit 1, which propagates through the pipe. Under 'set -e', the containing script exits silently — no stderr, no stdout, exit code 1. The 'aggregate.sh skips invalid JSON' safety net (added earlier) masked this by producing a summary that omitted the failing checks. Fix: wrap each grep-in-pipe with { grep … || true; } so zero-match returns success. Affects: - check-deps-supply.sh (count_lines helper) - check-pr-size.sh (count_lines helper + mods_count) - check-telemetry.sh (client_files, test_files, new_decorators) - check-testing-depth.sh (new_modules) - check-deletion-hygiene.sh (hits) Impact: live orchestrate.sh runs now emit valid JSON for all 20 checks instead of 15/20. No FP regression (all fixes preserve semantics). Discovered by: real dry-run on cloud-sdk-python PR #209 (Ricardo's agentgateway auditlog PR).
Discovered live on cloud-sdk-python PR #209 (Ricardo, agentgateway auditlog). The check was counting string occurrences from the on-disk AST — global to the file — then anchoring the finding to the first occurrence's line number. When a PR (a) shifts line numbers by adding upstream code and (b) does not touch any of the actual repeated-string lines, PY-CON-01 fires for tech debt that pre-existed the PR. Fix: read $ADDED_LINES_FILE (already exported by orchestrate.sh) inside check_con_01. Filter each literal's occurrence list to lines actually in the PR's added set. Only fire when ${filtered} is non-empty AND total occurrences (across file, unchanged) still >= threshold. Anchor line becomes the first added-line occurrence. Backward-compat: if ADDED_LINES_FILE is unset (bats tests exercising the lib directly), fall back to the legacy full-file behavior. Two new regression tests pin both branches (untouched pre-existing repetition = no fire; at least one occurrence on added line = fires with correct anchor). Bats: 81/81 green on both repos.
| logger.debug("Failed to create audit client", exc_info=True) | ||
| return None | ||
|
|
||
| def _send_audit_event( |
There was a problem hiding this comment.
Create a specific py file for audit log functions.
|
Update user guide |
| ) | ||
| except Exception: | ||
| logger.debug("Failed to create audit client", exc_info=True) | ||
| return None |
There was a problem hiding this comment.
Maybe this should be a configuration, we need to create a pattern for implicit usage.
| self, | ||
| user_token: str | Callable[[], str] | None = None, | ||
| app_tid: str | None = None, | ||
| user_id: str | None = None, |
There was a problem hiding this comment.
Not needed. Only run_mcp_tools needs to be audited in my opinion.
| for tenant-scoped token exchange. | ||
| TODO: This parameter's requirement is still being clarified with | ||
| the IBD team and may be removed if unnecessary. | ||
| user_id: User identifier recorded in the audit event when an |
| tenant=tenant_subdomain, | ||
| _telemetry_source=Module.AGENTGATEWAY, | ||
| ) | ||
| except Exception: |
There was a problem hiding this comment.
[FLAG] PY-EL-02
except block does not end with raise — swallowing? Add re-raise or comment justifying suppression
| event.object_type = "mcp-tool" | ||
| event.object_id = object_id | ||
| self._audit_client.send(event) | ||
| except Exception: |
There was a problem hiding this comment.
[FLAG] PY-EL-02
except block does not end with raise — swallowing? Add re-raise or comment justifying suppression
SDK Module Review
Findings (2)
2 finding(s): 2 posted as inline comment(s) on the affected lines, 0 not tied to a code line (listed above). Generated by sdk-review-skill · v1 |
Description
Implicit audit log emission in AgentGatewayClient - the client now automatically creates an AuditClient on initialization (using the LoB destination) and sends a DataAccess audit event after every successful list_mcp_tools() and call_mcp_tool() call. The tenant ID is read from the telemetry context var (get_tenant_id()).
Related Issue
N/A
Type of Change
Please check the relevant option:
How to Test
Checklist
Before submitting your PR, please review and check the following:
Breaking Changes
N/A
Additional Notes
N/A